Re: [blink-dev] Proposal: Marking HTTP As Non-Secure

On 3 Jan 2015, at 20:55, Jim Manico <jim.manico@owasp.org> wrote:

>> It's one of the reasons I'm really pushing for a security tab in the web dev tools, to help with education and usage of the features that are available... i.e. have you tried implementing a CSP header before? it's good fun :-)
> 
> Cool. I'm running CSP on several of my sites. Easy to set up for new
> development, lots of tools out there to make it easier. script hashing
> and script noncing are awesome. I can even easily protect inline
> scripts now...
> 
> Building complex websites is very tough. Security is just another
> engineering task... :)



Very true... but I personally don't think we have the tools in place to help developers know about (or use) these security features... e.g. any feedback for a failed HPKP header?

https://code.google.com/p/chromium/issues/detail?id=445793

But either way, well done with using CSP... personally I'm still not sure about using inline JS with nonces/hashes as I don't want to block out older browsers.

Which reminds me, I need to find out which browser versions don't understand paths after the domain name, as I want to specify them, but will need to do some UA sniffing to strip the paths for them... I have a feeling it might be Firefox, where v34 seems to ignore the path (only working against the domain), but I think an earlier version dropped the whole thing (blocking everything).

But getting back to marking HTTP as non-secure... all of these features are useless without HTTPS (easy to strip the CSP header over HTTP)... and that's why the more generic solution seems to be the only way, especially as ianG points out, this is the perfect time to be doing this (not that I don't like your idea of alerting users about passwords, I just think there are too many ways around it to be effective).

Craig

Received on Wednesday, 7 January 2015 10:35:39 UTC